Audit Specialist Raises Concerns in the Cloud: Onsite Coverage

SAN ANTONIO — Credit unions planning to save money by using cloud computing should consider investing some of those savings in ensuring the security of their outsourced data and applications, a veteran IT audit specialist told attendees Monday at the CUNA Security Council Conference.

“It’s a very, very real supply chain, and unfortunately cloud-based facilities have been harnessed to facilitate malicious activities,” said John Rostern, managing director of Coalfire Systems in New York.

“You can’t control everything when you outsource,” Rostern said. “Your little slice of heaven may be in the Google cloud, and you may be very interested in just that, but you need to review supply chain security as much as you can. That’s because the cloud also is a beautiful thing to the bad guy who can sit on the beach and do bad things on his Android or iPhone.”

Rostern said the National Institute of Science and Technology has a working group drafting an “impediments and mitigations list” for use by federal regulators but that a lot of questions need to be answered.

For instance, he said, “how are examiners going to rule when they can’t walk around the center where your data actually is?” The 29-year IT and auditing veteran said his reading of the regulations is that it could go either way and that much remains to be seen.

Meanwhile, Rostern said, he advises credit unions be aware that their data can often be handled by not just third parties when they use cloud computing, but by fourth and even fifth parties by the time the applications and data find a permanent home.

That raises questions of retrieval, secure data erasure and other concerns, including the mixing of proprietary data with other companies’ information.

“Remember, cloud providers contract with you but then they contract with Rackspace.com or someone like that providing the physical space and storage. We’ve seen third-, fourth- and fifth-party provision of this. So how do you assess and manage the risk that’s directly outside the direct control of the subscriber?” Rostern asked.

“Don’t assume cloud-based data is backed up and recoverable,” he said. “You need to be thinking of investing a portion of the cost savings obtained by cloud computing services into increased scrutiny of the security capabilities of the provider.”